Legal

Privacy Policy

Effective date: April 10, 2026

This Privacy Policy explains how QuicklyGenerateQR ("we," "us," the "Service") collects, uses, discloses, and protects personal data in connection with the website quicklygenerateqr.codes and its related features.

We take privacy seriously. This policy is written to be understandable rather than to protect us from you — if anything here is unclear, email czajnikolandia@gmail.com and we will explain.

1. Data Controller

The data controller responsible for your personal data under Regulation (EU) 2016/679 ("GDPR") is:

  • Lukasz Czajkowski, an independent developer operating QuicklyGenerateQR as a sole proprietor
  • Country: Poland
  • Contact: czajnikolandia@gmail.com

For all privacy, data access, deletion, or correction requests, write to the email above. We will respond within 30 days, as required by Article 12(3) GDPR.

2. What We Collect

2.1 When you use the free generator without an account

You can create static QR codes without registering or providing any personal information. When you use the free generator anonymously:

  • The content you enter (URLs, text, WiFi credentials, vCard details, etc.) is processed by our server only to render the QR code image you download. It is not stored on our servers and is not linked to any identifier.
  • Technical request data such as your IP address, user agent, and request timestamp is processed briefly for rate limiting, abuse prevention, and security. This data is handled in-memory or retained for a maximum of 24 hours for security auditing, then discarded.

2.2 When you create an account

Creating an account is optional and is only required for dynamic QR codes, scan analytics, and paid plans. When you register, we collect:

  • Email address — required for authentication, account recovery, and transactional notifications.
  • Name — optional, used only for personalization in the dashboard.
  • Password (hashed with bcrypt) — never stored in plaintext and never visible to us.
  • Google account identifier — if you sign in with Google OAuth, we receive your email, name, and profile image URL from Google. We do not receive your Google password.

2.3 When you create and manage QR codes in your account

  • QR code content (URLs, vCard data, menu items, etc.) that you save to your account.
  • Design preferences (colors, logos, shapes).
  • Uploaded logo files — stored on Vercel Blob under your account.
  • Folder and organizational metadata.

2.4 Scan data for dynamic QR codes

When someone scans a dynamic QR code that you created, we log the scan event to provide you with analytics. Each scan event includes:

  • Timestamp
  • Approximate geographic location derived from IP (country and region level, not precise location)
  • Device type (iOS, Android, other) derived from the user agent
  • Referring page, if applicable

We do not store raw IP addresses linked to scan events beyond what is needed for the derivation above. We never associate scan data with the identity of the person who scanned — only with the QR code that was scanned.

2.5 Payment data

If you subscribe to a paid plan, payment is processed by Stripe, Inc. We do not store your credit card number, CVV, or banking details. We receive and store only:

  • A Stripe customer identifier
  • Your subscription status, plan, and renewal date
  • Billing country (for tax calculation)

See Stripe's Privacy Policy for details on how Stripe handles your payment information.

2.6 Analytics and cookies

We use the following analytics tools:

  • Vercel Analytics — collects anonymous, aggregate page view data without cookies. No personal identifiers are stored.
  • Google Analytics 4 — only loaded after you give explicit consent via our cookie banner. If you decline, Google Analytics is not loaded at all.
  • Google AdSense— if and when ads are enabled on this site, Google and its partners will use cookies to serve ads based on a user's prior visits to this and other websites. You can opt out of personalized advertising by visiting Google Ads Settings.

3. Legal Basis for Processing (GDPR Article 6)

We process personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — for account creation, QR code management, and paid subscriptions.
  • Consent (Art. 6(1)(a)) — for Google Analytics, advertising cookies, and any non-essential cookies. You can withdraw consent at any time via the cookie banner.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, rate limiting, and aggregated service improvements that do not override your rights.
  • Legal obligation (Art. 6(1)(c)) — for tax record-keeping and compliance with applicable laws in Poland and the European Union.

4. Third-Party Processors

We rely on the following third-party processors, each of whom provides appropriate data protection safeguards under data processing agreements:

  • Vercel, Inc. — hosting, CDN, serverless functions, Vercel Analytics, and Vercel Blob storage.
  • Neon, Inc. — managed PostgreSQL database.
  • Upstash, Inc. — Redis cache and rate limiting.
  • Stripe, Inc. — payment processing and subscription billing.
  • Resend — transactional email delivery (account verification, password reset, receipts).
  • Cloudflare, Inc. — Turnstile captcha for abuse prevention.
  • Google LLC — Google OAuth sign-in (optional), Google Analytics (consent-based), and Google AdSense (where applicable).

5. International Data Transfers

Some of our processors (including Vercel, Stripe, and Google) are headquartered in the United States. When personal data is transferred outside the European Economic Area, we rely on the EU-U.S. Data Privacy Framework and the European Commission's Standard Contractual Clauses as transfer mechanisms under Article 46 GDPR.

6. Data Retention

  • Account data — retained for as long as your account is active. If you delete your account, all personal data is erased within 30 days, except where retention is legally required.
  • QR codes you created — retained for as long as your account is active. Deleting a QR code removes it immediately from active systems; backups are purged within 30 days.
  • Scan analytics — aggregated scan counts and derived metrics are retained for the lifetime of the QR code. Individual scan events with timestamps are retained for 24 months, after which they are aggregated and the individual rows are deleted.
  • Anonymous generator requests — content is not stored. Security logs are retained for up to 24 hours.
  • Billing and tax records — retained for 5 years as required by Polish tax law.
  • Email delivery logs — retained for 30 days by Resend for deliverability troubleshooting.

7. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure(Art. 17, the "right to be forgotten") — request deletion of your personal data.
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent (Art. 7(3)) at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint with the Polish supervisory authority, Urząd Ochrony Danych Osobowych (UODO), at uodo.gov.pl.

To exercise any of these rights, email czajnikolandia@gmail.com. We will respond within 30 days.

8. Cookies

We use a minimal set of cookies:

  • Essential cookies — required for authentication and site functionality. These cannot be disabled.
  • Analytics cookies (Google Analytics) — only set if you explicitly consent via the cookie banner.
  • Advertising cookies (Google AdSense) — if and when ads are served, only with your consent where required by law.

You can manage your cookie preferences at any time via the cookie banner or by clearing cookies in your browser settings.

9. Children

QuicklyGenerateQR is not directed at children under 16, which is the digital consent threshold in Poland under Article 8 GDPR. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact czajnikolandia@gmail.com and we will delete it.

10. Security

We implement technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS/TLS), password hashing (bcrypt), rate limiting, captcha for abuse prevention, and least-privilege access controls. No internet service can guarantee absolute security, but we take our obligations seriously and will notify affected users and supervisory authorities within 72 hours if a personal data breach occurs, as required by Article 33 GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email (for account holders) and prominently on this page. The "Effective date" at the top reflects the most recent revision.

12. Contact

For any privacy-related question, request, or concern:

You also have the right to lodge a complaint with the Polish data protection authority (UODO) if you believe we have violated your rights under GDPR.